What happens after a malicious email reaches employees’ inboxes?

On average, it takes three and a half days (83 hours) from the moment a malicious email attack lands in an employee's inbox to when it is discovered by a security team or reported by end users and remediated, according to new insight from Barracuda Networks.


Researchers analyzed threat patterns and response practices across 3500 organizations, examining what happens after a malicious email bypasses an organization's security measures and lands in a user's inbox.

They found that an average organization with 1100 users will experience around 15 email security incidents per month, and on average, 10 employees will be impacted by each phishing attack that manages to get through.

3% of employees will click on a malicious email link

Most worryingly, it was observed that 3 percent of employees will click on a link in a malicious email, exposing the entire organization to attackers. Whilst this figure sounds small, experts reminded businesses that an average organization of 1100 users will have around five users that will click on a link within a malicious email every month, and it only takes one click or reply for an attack to be successful.

Given that it takes users an average of only 16 minutes to click on a malicious link, improved investigation and remediation is key, the Threat Spotlight concluded.

Interestingly, two-thirds of the malicious emails that had landed in employees' primary inboxes were discovered through internal threat hunting investigations launched by the IT team. These investigations can be initiated in a variety of ways; common practices include searching through message logs or running keyword or sender searches of already delivered mail.

Another 24 percent of incidents were created from user-reported emails, 8.1 percent were discovered using community-sourced threat intelligence, and the remaining 0.4 percent through other sources such as automated or previously remediated incidents.
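As an added illustration of the log-search hunt described above (example code, not Barracuda's or the article's): a small Python routine that parses constructed message-trace lines, pulls every delivered copy of a message by sender address or subject keyword, lists the mailboxes that still need remediation, and computes the delivery-to-discovery dwell time that the article averages at 83 hours. The log line format, addresses and timestamps are all made up for the example.

```python
import re
from datetime import datetime

# Constructed sample message-trace lines, one delivered message per line (not real data).
SAMPLE_LOG = """\
2024-03-04T09:02:11Z to=alice@corp.example from=billing@invoice-update.example subject="Invoice 4471 overdue"
2024-03-04T09:02:13Z to=bob@corp.example from=billing@invoice-update.example subject="Invoice 4471 overdue"
2024-03-04T09:02:15Z to=carol@corp.example from=billing@invoice-update.example subject="Invoice 4471 overdue"
2024-03-04T09:40:00Z to=dave@corp.example from=hr@corp.example subject="March holiday schedule"
2024-03-04T10:15:42Z to=erin@corp.example from=accounts@invoice-update.example subject="URGENT: invoice payment"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+to=(?P<rcpt>\S+)\s+from=(?P<sender>\S+)\s+subject="(?P<subject>[^"]*)"\s*$'
)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

def parse_log(text):
    """Parse delivered-mail log lines into dicts; lines that do not fit the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
            records.append(rec)
    return records

def hunt(records, sender=None, keyword=None):
    """Return records from `sender` or whose subject contains `keyword` (both case-insensitive)."""
    hits = []
    for rec in records:
        by_sender = sender is not None and rec["sender"].lower() == sender.lower()
        by_keyword = keyword is not None and keyword.lower() in rec["subject"].lower()
        if by_sender or by_keyword:
            hits.append(rec)
    return hits

def impacted_mailboxes(hits):
    """Distinct recipients holding a matching message; each one needs remediation."""
    return sorted({rec["rcpt"] for rec in hits})

def dwell_hours(hits, discovered_at):
    """Hours from the earliest matching delivery to discovery (the metric the article averages at 83)."""
    if not hits:
        return 0.0
    first = min(rec["ts"] for rec in hits)
    found = datetime.strptime(discovered_at, TS_FORMAT)
    return round((found - first).total_seconds() / 3600, 2)
```

Running `hunt` with a keyword as well as a sender widens the search to the same lure sent from a second address, which is why the two criteria are combined with OR.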


What should organizations do?

Michael Flouton, VP Product, Barracuda Networks comments: “There is no such thing as cybersecurity software which is 100 percent effective against inbound email attacks, and organizations must prioritize security awareness training sessions for their employees – our research even revealed that organizations that train their users will see a 73 percent improvement in the accuracy of user-reported email after only two training campaigns.

“Organizations should also consider automating incident response systems, adopting threat hunting tools, and sharing and receiving threat intelligence from other companies, all for the purpose of significantly improving incident response times to post-delivery email threats, and catching these malicious attacks before they develop into something more severe.”
